Create an Azure Firewall test environment

This script sample creates a firewall and a test network environment. The network has one VNet with three subnets: AzureFirewallSubnet, JumpBoxSubnet, and ServersSubnet. JumpBoxSubnet and ServersSubnet each contain one Windows Server 2012 R2 VM (Standard_DS1_v2 size).

The firewall is deployed in AzureFirewallSubnet and is configured with an application rule collection containing a single rule that allows outbound HTTP (port 80) and HTTPS (port 443) to FQDNs matching *microsoft.com. Outbound traffic that matches no rule is dropped by the firewall's default deny.

A user defined route (0.0.0.0/0 with next hop type VirtualAppliance and the firewall's private IP as next hop) is associated with ServersSubnet, so outbound traffic from that subnet passes through the firewall, where the firewall rules are applied. JumpBoxSubnet is not routed through the firewall; the jumpbox keeps its public IP and is reachable over RDP through an NSG rule that allows inbound TCP 3389, so you can RDP to the jumpbox and from there to the server VM to test the firewall.

You can run the script from the Azure Cloud Shell, or from a local PowerShell installation.

If you run PowerShell locally, this script requires AzureRM PowerShell module version 6.9.0 or later. To find the installed version, run Get-Module -ListAvailable AzureRM. The AzureRM module has since been superseded by the Az module; the cmdlets below map to Az by replacing the AzureRm prefix with Az (for example, New-AzureRmFirewall becomes New-AzFirewall).

If you need to upgrade, use PowerShellGet, which is built into Windows 10 and Windows Server 2016.

Note

Other Windows versions require you to install PowerShellGet before you can use it. Run Get-Module -Name PowerShellGet -ListAvailable | Select-Object -Property Name,Version,Path to determine whether it is installed on your system. If the output is blank, install the latest Windows Management Framework.

For more information, see Install Azure PowerShell on Windows with PowerShellGet.

Any existing Azure PowerShell installation done with the Web Platform Installer conflicts with the PowerShellGet installation and must be removed first.

Remember that if you run PowerShell locally, you also need to run Connect-AzureRmAccount to create a connection with Azure before running the script.
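The prerequisite steps above (PowerShellGet present, AzureRM at 6.9.0 or later, an Azure sign-in) can be checked in one go before the sample runs. The following is an added example, not part of the original sample script; it assumes a local Windows PowerShell session where PowerShellGet's Install-Module and Update-Module are available, and it will prompt for sign-in only when no Azure context exists.

```powershell
# Prerequisite check for a local PowerShell session (added example, not part of the original sample).
# Verifies the AzureRM version the sample needs, installs or updates it through PowerShellGet
# when required, and signs in only if the session has no current Azure context.
$RequiredVersion = [Version]"6.9.0"

function Test-AzureRmPrerequisites {
    # Install-Module / Update-Module come from PowerShellGet; without it nothing below works.
    if (-not (Get-Module -Name PowerShellGet -ListAvailable)) {
        throw "PowerShellGet is not installed. Install the latest Windows Management Framework first."
    }

    # Several AzureRM versions may be installed side by side; only the newest matters.
    $installed = Get-Module -ListAvailable AzureRM | Sort-Object Version -Descending | Select-Object -First 1
    if (-not $installed) {
        Write-Host "AzureRM not found; installing for the current user"
        Install-Module -Name AzureRM -Scope CurrentUser -AllowClobber
    }
    elseif ($installed.Version -lt $RequiredVersion) {
        Write-Host "AzureRM $($installed.Version) is older than $RequiredVersion; updating"
        Update-Module -Name AzureRM
    }
    else {
        Write-Host "AzureRM $($installed.Version) satisfies the $RequiredVersion requirement"
    }

    # Reuse an existing sign-in if there is one; otherwise prompt interactively.
    $ctx = $null
    try { $ctx = Get-AzureRmContext -ErrorAction Stop } catch { }
    if (-not $ctx -or -not $ctx.Account) {
        Connect-AzureRmAccount | Out-Null
        $ctx = Get-AzureRmContext
    }
    Write-Host "Signed in as $($ctx.Account.Id) on subscription '$($ctx.Subscription.Name)'"
}

Test-AzureRmPrerequisites
```

Run this once at the top of the session; if it throws or sign-in fails, stop before creating any resources so you do not leave a half-built resource group behind.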

If you don't have an Azure subscription, create a free account before you begin.

Sample script


#Resource group name and location
$RG="AzfwSampleScriptEastUS"
$Location="East US"

#User credentials for the JumpBox and Server VMs.
#The password is hard-coded here only because this is a throwaway test environment.
#For anything else, prompt for it instead: $cred = Get-Credential -UserName AzfwUser -Message "VM admin password"
$securePassword = ConvertTo-SecureString 'P@$$W0rd010203' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ("AzfwUser", $securePassword)


#Create new RG
New-AzureRmResourceGroup -Name $RG -Location $Location

#Create VNet
$VnetName=$RG+"Vnet"
New-AzureRmVirtualNetwork -ResourceGroupName $RG -Name $VnetName -AddressPrefix 192.168.0.0/16 -Location $Location

#Configure subnets. The firewall's subnet must be named AzureFirewallSubnet.
$vnet = Get-AzureRmVirtualNetwork -ResourceGroupName $RG -Name $VnetName
Add-AzureRmVirtualNetworkSubnetConfig -Name AzureFirewallSubnet -VirtualNetwork $vnet -AddressPrefix 192.168.1.0/24
Add-AzureRmVirtualNetworkSubnetConfig -Name JumpBoxSubnet -VirtualNetwork $vnet -AddressPrefix 192.168.0.0/24
Add-AzureRmVirtualNetworkSubnetConfig -Name ServersSubnet -VirtualNetwork $vnet -AddressPrefix 192.168.2.0/24
Set-AzureRmVirtualNetwork -VirtualNetwork $vnet

#Create public IPs: Azure Firewall requires a static Standard SKU public IP; the jumpbox gets a Basic one
$FwPipName = $RG + "PublicIP"
$FwPip = New-AzureRmPublicIpAddress -Name $FwPipName -ResourceGroupName $RG -Location $Location -AllocationMethod Static -Sku Standard
$JumpBoxpip = New-AzureRmPublicIpAddress -Name "JumpHostPublicIP" -ResourceGroupName $RG -Location $Location -AllocationMethod Static -Sku Basic

#Create an inbound network security group rule that allows RDP (TCP 3389) to the jumpbox.
#SourceAddressPrefix * exposes RDP to the entire Internet. For anything beyond a short-lived test,
#replace * with your own egress address, for example 203.0.113.10/32.
$nsgRuleRDP = New-AzureRmNetworkSecurityRuleConfig -Name AllowRDPInbound -Protocol Tcp -Direction Inbound -Priority 1000 -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 3389 -Access Allow

#Create a network security group containing that rule
$NsgName = $RG+"NSG"
$nsg = New-AzureRmNetworkSecurityGroup -ResourceGroupName $RG -Location $Location -Name $NsgName -SecurityRules $nsgRuleRDP

#Create jumpbox. Subnets are looked up by name so the script does not depend on the order they were added in.
$vnet = Get-AzureRmVirtualNetwork -ResourceGroupName $RG -Name $VnetName
$JumpBoxSubnetId = (Get-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name JumpBoxSubnet).Id
#Create a network interface with the jumpbox public IP and the RDP NSG attached
$JumpBoxNic = New-AzureRmNetworkInterface -Name JumpBoxNic -ResourceGroupName $RG -Location $Location -SubnetId $JumpBoxSubnetId -PublicIpAddressId $JumpBoxpip.Id -NetworkSecurityGroupId $nsg.Id
$JumpBoxConfig = New-AzureRmVMConfig -VMName JumpBox -VMSize Standard_DS1_v2 | Set-AzureRmVMOperatingSystem -Windows -ComputerName JumpBox -Credential $cred | Set-AzureRmVMSourceImage -PublisherName "MicrosoftWindowsServer" -Offer "WindowsServer" -Skus "2012-R2-Datacenter" -Version latest | Add-AzureRmVMNetworkInterface -Id $JumpBoxNic.Id
New-AzureRmVM -ResourceGroupName $RG -Location $Location -VM $JumpBoxConfig

#Create Server VM. It has no public IP and no NSG; it is reached from the jumpbox over the VNet.
$ServersSubnetId = (Get-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name ServersSubnet).Id
$ServerVmNic = New-AzureRmNetworkInterface -Name ServerVmNic -ResourceGroupName $RG -Location $Location -SubnetId $ServersSubnetId
$ServerVmConfig = New-AzureRmVMConfig -VMName ServerVm -VMSize Standard_DS1_v2 | Set-AzureRmVMOperatingSystem -Windows -ComputerName ServerVm -Credential $cred | Set-AzureRmVMSourceImage -PublisherName "MicrosoftWindowsServer" -Offer "WindowsServer" -Skus "2012-R2-Datacenter" -Version latest | Add-AzureRmVMNetworkInterface -Id $ServerVmNic.Id
New-AzureRmVM -ResourceGroupName $RG -Location $Location -VM $ServerVmConfig

#Create the Azure Firewall in AzureFirewallSubnet, attached to the Standard SKU public IP
$GatewayName = $RG + "Azfw"
$Azfw = New-AzureRmFirewall -Name $GatewayName -ResourceGroupName $RG -Location $Location -VirtualNetworkName $vnet.Name -PublicIpName $FwPip.Name

#Add an application rule collection that allows HTTP/HTTPS to *microsoft.com from ServersSubnet only.
#Anything that matches no rule is dropped by the firewall's default deny.
$Azfw = Get-AzureRmFirewall -ResourceGroupName $RG -Name $GatewayName
$Rule = New-AzureRmFirewallApplicationRule -Name R1 -SourceAddress 192.168.2.0/24 -Protocol "http:80","https:443" -TargetFqdn "*microsoft.com"
$RuleCollection = New-AzureRmFirewallApplicationRuleCollection -Name RC1 -Priority 100 -Rule $Rule -ActionType "Allow"
$Azfw.ApplicationRuleCollections = $RuleCollection
Set-AzureRmFirewall -AzureFirewall $Azfw

#Create a route table with a default route (0.0.0.0/0) whose next hop is the firewall's private IP
$Azfw = Get-AzureRmFirewall -ResourceGroupName $RG -Name $GatewayName
$AzfwRouteName = $RG + "AzfwRoute"
$AzfwRouteTableName = $RG + "AzfwRouteTable"
$AzfwPrivateIp = $Azfw.IpConfigurations[0].PrivateIPAddress
$AzfwRoute = New-AzureRmRouteConfig -Name $AzfwRouteName -AddressPrefix 0.0.0.0/0 -NextHopType VirtualAppliance -NextHopIpAddress $AzfwPrivateIp
$AzfwRouteTable = New-AzureRmRouteTable -Name $AzfwRouteTableName -ResourceGroupName $RG -Location $Location -Route $AzfwRoute

#Associate the route table with ServersSubnet only. JumpBoxSubnet keeps the system default route,
#so RDP to the jumpbox is unaffected. Re-read the VNet first so the firewall's subnet changes are not overwritten.
$vnet = Get-AzureRmVirtualNetwork -ResourceGroupName $RG -Name $VnetName
Set-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name ServersSubnet -AddressPrefix 192.168.2.0/24 -RouteTable $AzfwRouteTable
Set-AzureRmVirtualNetwork -VirtualNetwork $vnet
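Once the sample has run, it is worth confirming that the environment actually behaves as described: that ServersSubnet's default route really goes to the firewall, that the jumpbox is not firewalled, what the firewall allows, and that the RDP rule is as open as it is. The following checks are an added example, not part of the original sample. They assume the sample script above ran in the same session (so $RG, $GatewayName and $VnetName are defined), that both VMs are running (Azure only reports effective routes for NICs attached to a running VM), and use the NIC, NSG and subnet names the sample creates.

```powershell
# Post-deployment checks (added example, not part of the original sample).
# Assumes $RG and $GatewayName from the sample script and that JumpBox and ServerVm are running.

function Get-DefaultRoute([string]$NicName) {
    # The active 0.0.0.0/0 route the platform is applying to this NIC right now.
    Get-AzureRmEffectiveRouteTable -NetworkInterfaceName $NicName -ResourceGroupName $RG |
        Where-Object { $_.AddressPrefix -contains "0.0.0.0/0" -and $_.State -eq "Active" }
}

$Azfw = Get-AzureRmFirewall -ResourceGroupName $RG -Name $GatewayName
$fwIp = $Azfw.IpConfigurations[0].PrivateIPAddress

# 1. ServersSubnet traffic must leave through the firewall (UDR with next hop = firewall private IP).
$serverDefault = Get-DefaultRoute -NicName ServerVmNic
if ($serverDefault.NextHopType -eq "VirtualAppliance" -and $serverDefault.NextHopIpAddress -contains $fwIp) {
    Write-Host "OK  ServerVmNic default route -> $fwIp (VirtualAppliance)"
} else {
    Write-Warning "ServerVmNic default route is NOT via the firewall:`n$($serverDefault | Out-String)"
}

# 2. JumpBoxSubnet has no route table, so the jumpbox should still use the system Internet route.
$jumpDefault = Get-DefaultRoute -NicName JumpBoxNic
if ($jumpDefault.NextHopType -eq "Internet") {
    Write-Host "OK  JumpBoxNic default route -> Internet (system route, not firewalled)"
} else {
    Write-Warning "JumpBoxNic default route unexpected: $($jumpDefault.NextHopType)"
}

# 3. Show exactly what the firewall will allow, rule by rule.
foreach ($rc in $Azfw.ApplicationRuleCollections) {
    Write-Host "Collection $($rc.Name) priority $($rc.Priority) action $($rc.Action.Type)"
    foreach ($r in $rc.Rules) {
        $protos = ($r.Protocols | ForEach-Object { "$($_.ProtocolType):$($_.Port)" }) -join ","
        Write-Host "  rule $($r.Name): $protos -> $($r.TargetFqdns -join ',')"
    }
}

# 4. Flag inbound Allow rules on the jumpbox NSG that open RDP to any source.
$nsg = Get-AzureRmNetworkSecurityGroup -ResourceGroupName $RG -Name ($RG + "NSG")
$openRdp = $nsg.SecurityRules | Where-Object {
    $_.Direction -eq "Inbound" -and $_.Access -eq "Allow" -and
    $_.SourceAddressPrefix -contains "*" -and $_.DestinationPortRange -contains "3389"
}
if ($openRdp) {
    Write-Warning "NSG rule '$($openRdp.Name)' allows RDP from any source; restrict SourceAddressPrefix to your own IP before leaving this running."
}

# 5. Egress test to run inside ServerVm (RDP to the jumpbox, then RDP on to 192.168.2.x).
#    The first request matches rule R1 and succeeds; the second matches no rule and is blocked
#    by the firewall, so Invoke-WebRequest throws and the catch branch reports it.
$egressTest = @'
foreach ($u in "https://www.microsoft.com", "https://www.bing.com") {
    try {
        $resp = Invoke-WebRequest -Uri $u -UseBasicParsing -TimeoutSec 15
        "$u : allowed (HTTP $($resp.StatusCode))"
    } catch {
        "$u : blocked ($($_.Exception.Message))"
    }
}
'@
Write-Host "Run the following inside ServerVm:`n$egressTest"
```

Checks 1 and 2 are the ones that catch the most common mistake with this topology: associating the route table with the wrong subnet, which either leaves the servers unfirewalled or cuts off RDP to the jumpbox. Check 5 is deliberately run from ServerVm rather than the jumpbox, because only ServersSubnet is routed through the firewall.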

Clean up deployment

Run the following command to remove the resource group, the VMs, the firewall, and all related resources:

Remove-AzureRmResourceGroup -Name AzfwSampleScriptEastUS -Force

Script explanation

This script uses the following commands to create a resource group, virtual network and subnets, public IP addresses, a network security group, virtual machines, an Azure Firewall, and a user defined route. Each command in the following table links to command-specific documentation:

Command Notes
New-AzureRmResourceGroup Creates a resource group in which all resources are stored.
New-AzureRmVirtualNetwork Creates an Azure virtual network.
Add-AzureRmVirtualNetworkSubnetConfig Adds a subnet configuration (AzureFirewallSubnet, JumpBoxSubnet, ServersSubnet) to the virtual network object.
Set-AzureRmVirtualNetworkSubnetConfig Updates a subnet configuration, for example to associate a route table or NSG with a subnet.
Set-AzureRmVirtualNetwork Commits subnet changes on the virtual network object to Azure.
New-AzureRmPublicIpAddress Creates the public IP addresses: a Standard SKU address for the firewall and one for RDP access to the jumpbox from the Internet.
New-AzureRmNetworkSecurityRuleConfig Creates the security rule (inbound TCP 3389) to be assigned to a network security group.
New-AzureRmNetworkSecurityGroup Creates a network security group containing rules that allow or block specific ports.
New-AzureRmNetworkInterface Creates the virtual network interfaces in JumpBoxSubnet and ServersSubnet, and attaches the public IP and NSG to the jumpbox NIC.
New-AzureRmVMConfig Creates a VM configuration. This configuration includes information such as VM name, operating system, and administrative credentials. The configuration is used during VM creation.
New-AzureRmVM Creates a virtual machine.
New-AzureRmFirewall Creates a new Azure Firewall.
Get-AzureRmFirewall Gets an Azure Firewall object.
New-AzureRmFirewallApplicationRule Creates a new Azure Firewall application rule.
New-AzureRmFirewallApplicationRuleCollection Groups application rules into a collection with a priority and an Allow or Deny action.
Set-AzureRmFirewall Commits changes to the Azure Firewall object.
New-AzureRmRouteConfig Creates the route (0.0.0.0/0 with next hop VirtualAppliance at the firewall's private IP).
New-AzureRmRouteTable Creates the route table that holds that route and is associated with ServersSubnet.
Remove-AzureRmResourceGroup Removes a resource group and all resources contained within.

Next steps

For more information on Azure PowerShell, see the Azure PowerShell documentation.